United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
I nilid Stall-, l'atint and Track-mark Office 

Address: COMMISSIONER FOR PATENTS 



APPLICATION NO. 



10/759,241 



FILING DATE 



Ul /I 0/200-1 



68786 7590 03/03/2009 

CHRISTOPHER & WEISBERG, P.A. 
200 EAST LAS OLAS BOULEVARD 
SUITE 2040 

FORT LAUDERDALE, FL 33301 



FIRST NAMED INVENTOR 



ATTORNEY DOCKET NO. CONFIRMATION NO. 



EXD9200300521 Sli 1297-91) 



ALMEIDA, DEVINE 



PAPER NUMBER 



DELIVERY MODE 



Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



United States Patent and Trademark Office 



Commissioner for Patents 
United States Patent and Trademark Office 
P.O. Box 1450 
Alexandria, VA 22313-1450 

www.uspto.gov 



BEFORE THE BOARD OF PATENT APPEALS 
AND INTERFERENCES 



Application Number: 10/759,241 
Filing Date: January 16, 2004 
Appellant(s): BIRT ET AL. 



Alan M. Weisbery 
Reg # 68786 
For Appellant 



EXAMINER'S ANSWER 



This is in response to the appeal brief filed 12/02/2008 appealing from the Office action 
mailed 9/10/2008. 
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(1) Real Party in Interest 

A statement identifying by name the real party in interest is contained in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial 
proceedings which will directly affect or be directly affected by or have a bearing on the 
Board's decision in the pending appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is incorrect. A correct 
statement of the status of the claims is as follows: 

This appeal involves claims 10-11, 21-22 and 25-26. 

Claims 1,5,6, 8, 9, 1 2, 1 6, 1 7, 1 9, 20, 23, and 27-30 allowed. 

(4) Status of Amendments After Final 

The appellant's statement of the status of amendments after final rejection 
contained in the brief is correct. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 



Application/Control Number: 10/759,241 
Art Unit: 2432 



Page 3 



(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is 
substantially correct. The changes are as follows: 
WITHDRAWN REJECTIONS 

The following grounds of rejection are not presented for review on appeal 
because they have been withdrawn by the examiner. The rejection of claims 1 , 5, 6, 8, 
9, 12, 16, 17, 19, 20, 23, and 27-30 have been withdrawn. 

REJECTIONS 

Claim 25 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kair (US 
7,243,148) in further view of Bellemore (5,944,825). 

Claims 10, 1 1 , 21 , 22 and 26 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kair (US 7,243,148) in view of Bellemore (5,944,825) in further view 
of Dahlstrom et al (2004/0006704). 



(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is correct. 

(8) Evidence Relied Upon 

7243148 Keiretal 7-2007 

5944825 Bellemore et al 8-1999 

20040006704 Dahlstrom 1-2004 
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(9) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 

Claim 25 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kair (US 
7,243,148) in further view of Bellemore (5,944,825). 

With respect to claim 25, Kair teaches the method for providing automated 
tracking of security vulnerabilities, comprising: using a computer device to perform a 
security vulnerability assessment on a system (see abstract); detecting the presence of 
a security vulnerability in the system; and responsive to detecting the presence of the 
security vulnerability (see column 13 lines 4-20); storing data obtained from the security 
vulnerability assessment in a security vulnerabilities database (see column 13 lines 4- 
20 and column 17 lines 27-38); determining using a computer program, a security 
vulnerability score, the security vulnerability score being a product of a frequency score, 
a severity score, a criticality score and a trust score (see figure 9-11, 14 and column 62 
line 3 - column 66 line 19), the frequency score based on a percentage of host 
experiencing the detected security vulnerability in the system (see column 64 line 20-50 
i.e. H w H w H L ), the criticality score based on whether at least one of confidential data 
and personal data in on the system (see column 64 lines 51-67). 

Kair fails to explicitly disclose determining a time to fix a security vulnerability 
identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score. 

Bellemore discloses a method of assessing a particular host for security 
vulnerabilities in which he teaches determining a time to fix a security vulnerability 



Application/Control Number: 10/759,241 Page 5 

Art Unit: 2432 

identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score (see Bellemore column 5, lines 16-34). It would 
have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains to have given an allotted time for fixing 
the vulnerability before disabling will occur to protect the system (i.e. password 
disabling)(see Bellemore column 5, lines 16-34). Therefore one would have been 
motivated to have set a time limit for security vulnerability to be fixed to increase the 
security of the system. 

Claims 10, 11, 21, 22 and 26 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kair (US 7,243,148) in view of Bellemore (5,944,825) in further 
view of Dahlstrom et al (2004/0006704). 

With respect to claim 10, 21 , and 26, a method for determining a criticality factor 
for a security vulnerability in a computer system, comprising: Entering in a database 
security vulnerabilities detected in the computer system during a security vulnerability 
assessment (see Kair column 13 lines 4-20 and column 17 lines 27-38). Assigning a 
security vulnerability factor to a detected security vulnerability based upon a criticality of 
an element in the system, a severity of the security vulnerability with the system and 
isolation of the system (see Kair column 62 line 3 - column 66 line 1 9). 

Kair does not teach measuring a frequency of occurrence for the detected 
security vulnerabilities and Assigning a security vulnerability factor to a detected 
security vulnerability based upon the frequency of occurrence of the security 
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vulnerability in the system. Dahlstrom teaches Measuring a frequency of occurrence for 
the detected security vulnerabilities, (see Dahistrom paragraph 0042 and 0067). It 
would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which said subject matter pertains to have kept track of the 
frequency security vulnerability occurs to provide an overall summaries of vulnerability 
tracking within the organization or with respect to a particular product. The tracking 
information may also include statistical information such as means, medians, ranges, 
and deviations derived by tracking system (see paragraph 0042). Therefore one would 
have been motivated to have tracked the security vulnerability. 

With respect to claim 1 1 and 22, wherein the criticality of an element in the 
system is based on whether at least one of confidential data and personal data in on the 
system and whether information on the element is used aggregation (see column 64 
lines 51-67). 

(10) Response to Argument 

In response to applicant's arguments the recitation "a method for determining a 
criticality factor for security vulnerability in a computer system, comprising:" has not 
been given patentable weight because the recitation occurs in the preamble. A 
preamble is generally not accorded any patentable weight where it merely recites the 
purpose of a process or the intended use of a structure, and where the body of the 
claim does not depend on the preamble for completeness but, instead, the process 
steps or structural limitations are able to stand alone. See In re Hirao, 535 F.2d 67, 190 
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USPQ 15 (CCPA 1976) and Kropa v. Robie, 187 F.2d 150, 152, 88 USPQ 478, 481 
(CCPA 1951). 

The claim reads "entering in a database security vulnerabilities detected in the 
computer system during a security vulnerability assessment" this means more then one 
security vulnerability in contrast to the argument that it is only one security vulnerability. 
Also the terms in the claims are give there broadest reasonable interpretation with that 
said the term computer system does not mean one computer it is reasonable to 
interpret computer system as more the one computer. 

Applicant's arguments have been fully considered but they are not persuasive. 
Kair teaches the vulnerability score is a product of a frequency score, a severity score, a 
criticality score and a trust score. Kair teaches F (the security vulnerability score) is 
computed by F = 100-V-E. Where V = min(70, (70V h H h + 42V m H m + 14V,H, ) / H„)) and E 
= min(30, X from y=1 to H n {Ry + Wy + 30Ty}. In column 64 line 20-50 Kair teaches the 
frequency score is based on a percentage of host experiencing the detected security 
vulnerability in the system. This is calculated in the V part of the security vulnerability 
score where H H H w H L make up the number of host that have high, medium and low 
vulnerabilities on them. The severity score is also calculated in the V part of the security 
vulnerability score where high vulnerability are multiplied by 70 (root access) medium by 
42 and low by 14. In column 66 lines 4-19 Kair teaches the criticality score is based on 
whether at least one of confidential data and personal data in on the system. This is 
calculated in the E part of the security vulnerability score Ty the number of nodes with 
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Trojan horse that can get access to usernames passwords resources and host data on 
a node. The isolation score is calculated in the E part of the security vulnerability score 
Wy the number of wireless access points found on a host y. 

(11) Related Proceeding(s) Appendix 

No decision rendered by a court or the Board is identified by the examiner in the 
Related Appeals and Interferences section of this examiner's answer. 

For the above reasons, it is believed that the rejections should be sustained. 

Respectfully submitted, 

/Devin Almeida/ 
Examiner, Art Unit 2432 
2/23/2009 

Conferees: 

/Benjamin E Lanier/ 

Primary Examiner, Art Unit 2432 

/Gilberto Barron Jr./ 

Supervisory Patent Examiner, Art Unit 2432 



